Add a test for potential DNS leaks via symbol interposition.

We build variants of kinit and test_acquire_cred that define their own symbols rk_dns_lookup, gethostbyname, gethostbyname2, and getaddrinfo to print a message and abort. For getaddrinfo, we abort only if the caller failed to specify AI_NUMERICHOST; otherwise we use dlsym(RTLD_NEXT, "getaddrinfo") instead. The new test tests/gss/check-nodns is like tests/gss/check-basic, but uses kinit_auditdns and test_acquire_cred_auditdns to verify that no DNS resolution happens. This test should work and be effective on ELF platforms where the getaddrinfo function is implemented by the symbol `getaddrinfo'. On non-ELF platforms it may not be effective -- and on platforms where the getaddrinfo function is implemented by another symbol (like `__getaddrinfo50') it may not work, but we can cross that bridge when we come to it. Verified manually that the test fails, with the expected error message and abort, without `block_dns = yes' in krb5-nodns.conf. No automatic test of the mechanism for now because it might not work on some platforms. XXX check-nodns.in is copypasta of check-basic.in, should factor out the common parts so they don't get out of sync.
2024-01-07 21:44:29 +00:00 · 2024-01-07 21:44:29 +00:00 · ad23636db8
commit ad23636db8
parent e2c0d98965
8 changed files with 411 additions and 4 deletions
--- a/appl/test/Makefile.am
+++ b/appl/test/Makefile.am
@ -5,7 +5,8 @@ include $(top_srcdir)/Makefile.am.common
 WFLAGS += $(WFLAGS_LITE)

 noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
-	uu_server uu_client nt_gss_server nt_gss_client http_client
+	uu_server uu_client nt_gss_server nt_gss_client http_client \
+	kinit_auditdns

 tcp_client_SOURCES = tcp_client.c common.c test_locl.h

@ -38,6 +39,25 @@ nt_gss_client_LDADD = $(gssapi_server_LDADD)

 nt_gss_server_LDADD = $(nt_gss_client_LDADD)

+kinit_auditdns_SOURCES = ../../kuser/kinit.c auditdns.c
+
+kinit_auditdns_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/../../lib/krb5
+
+# sync with kinit_LDADD in kuser/Makefile.am
+if !NO_AFS
+afs_lib = $(LIB_kafs)
+endif
+kinit_auditdns_LDADD = \
+	$(afs_lib) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/gssapi/libgssapi.la \
+	$(top_builddir)/lib/gss_preauth/libgss_preauth.la \
+	$(top_builddir)/lib/ntlm/libheimntlm.la \
+	$(LIB_hcrypto) \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_libintl) \
+	$(LIB_roken)
+
 LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
 	$(LIB_hcrypto) \
 	$(top_builddir)/lib/asn1/libasn1.la \
--- a/appl/test/auditdns.c
+++ b/appl/test/auditdns.c
@ -0,0 +1,96 @@
+/*-
+ * Copyright (c) 2024 Taylor R. Campbell
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <dlfcn.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "resolve.h"
+
+struct rk_dns_reply *
+rk_dns_lookup(const char *domain, const char *type_name)
+{
+
+    fprintf(stderr, "DNS leak: %s %s (%s)\n", __func__, domain, type_name);
+    abort();
+}
+
+struct hostent *
+gethostbyname(const char *name)
+{
+
+    fprintf(stderr, "DNS leak: %s %s\n", __func__, name);
+    abort();
+}
+
+#ifdef HAVE_GETHOSTBYNAME2
+
+struct hostent *
+gethostbyname2(const char *name, int af)
+{
+
+    fprintf(stderr, "DNS leak: %s %s\n", __func__, name);
+    abort();
+}
+
+#endif	/* HAVE_GETHOSTBYNAME2 */
+
+#ifdef HAVE_GETADDRINFO
+
+typedef int getaddrinfo_fn_t(const char *, const char *,
+    const struct addrinfo *restrict,
+    struct addrinfo **restrict);
+getaddrinfo_fn_t getaddrinfo;
+int
+getaddrinfo(const char *hostname, const char *servname,
+    const struct addrinfo *restrict hints,
+    struct addrinfo **restrict res)
+{
+    void *sym;
+
+    if (hints == NULL ||
+	(hints->ai_flags & AI_NUMERICHOST) == 0 ||
+	(hints->ai_flags & AI_CANONNAME) != 0) {
+	fprintf(stderr, "DNS leak: %s %s:%s\n",
+	    __func__, hostname, servname);
+	abort();
+    }
+
+    if ((sym = dlsym(RTLD_NEXT, __func__)) == NULL) {
+	fprintf(stderr, "dlsym(RTLD_NEXT, \"%s\") failed: %s\n",
+	    __func__, dlerror());
+	return EAI_FAIL;
+    }
+
+    return (*(getaddrinfo_fn_t *)sym)(hostname, servname, hints, res);
+}
+
+#endif	/* HAVE_GETADDRINFO */
--- a/kuser/Makefile.am
+++ b/kuser/Makefile.am
@ -26,6 +26,7 @@ libexec_PROGRAMS = kdigest kimpersonate

 noinst_PROGRAMS = kverify kdecode_ticket generate-requests

+# sync with kinit_auditdns_LDADD in appl/test/Makefile.am
 kinit_LDADD = \
 	$(afs_lib) \
 	$(top_builddir)/lib/krb5/libkrb5.la \
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@ -381,7 +381,7 @@ TESTS = test_oid test_names test_cfx

 test_cfx_SOURCES = krb5/test_cfx.c

-check_PROGRAMS = test_acquire_cred $(TESTS)
+check_PROGRAMS = test_acquire_cred test_acquire_cred_auditdns $(TESTS)

 bin_PROGRAMS = gsstool gss-token
 noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred
@ -389,6 +389,9 @@ noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cre
 test_context_SOURCES = test_context.c test_common.c test_common.h
 test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
 test_acquire_cred_SOURCES = test_acquire_cred.c test_common.c test_common.h
+test_acquire_cred_auditdns_SOURCES = \
+	test_acquire_cred.c test_common.c test_common.h \
+	../../appl/test/auditdns.c

 test_add_store_cred_SOURCES = test_add_store_cred.c

--- a/tests/bin/setup-env.in
+++ b/tests/bin/setup-env.in
@ -38,6 +38,7 @@ kdigest="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kdigest"
 kgetcred="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kgetcred"
 kimpersonate="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kimpersonate"
 kinit="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kinit"
+kinit_auditdns="${TESTS_ENVIRONMENT} ${top_builddir}/appl/test/kinit_auditdns"
 klist="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/heimtools klist"
 kpasswd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswd"
 kpasswdd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswdd"
--- a/tests/gss/Makefile.am
+++ b/tests/gss/Makefile.am
@ -4,9 +4,9 @@ include $(top_srcdir)/Makefile.am.common

 .NOTPARALLEL:

-noinst_DATA = krb5.conf new_clients_k5.conf mech
+noinst_DATA = krb5.conf krb5-nodns.conf new_clients_k5.conf mech

-SCRIPT_TESTS = check-basic check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
+SCRIPT_TESTS = check-basic check-nodns check-gss check-gssmask check-context check-spnego check-ntlm check-negoex

 TESTS = $(SCRIPT_TESTS)

@ -47,6 +47,11 @@ check-basic: check-basic.in Makefile
 	chmod +x check-basic.tmp && \
 	mv check-basic.tmp check-basic

+check-nodns: check-nodns.in Makefile
+	$(do_subst) < $(srcdir)/check-nodns.in > check-nodns.tmp && \
+	chmod +x check-nodns.tmp && \
+	mv check-nodns.tmp check-nodns
+
 check-ntlm: check-ntlm.in Makefile
 	$(do_subst) < $(srcdir)/check-ntlm.in > check-ntlm.tmp && \
 	chmod +x check-ntlm.tmp && \
@ -61,6 +66,10 @@ krb5.conf: krb5.conf.in Makefile
 	$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
 	mv krb5.conf.tmp krb5.conf

+krb5-nodns.conf: krb5-nodns.conf.in Makefile
+	$(do_subst) < $(srcdir)/krb5-nodns.conf.in > krb5-nodns.conf.tmp && \
+	mv krb5-nodns.conf.tmp krb5-nodns.conf
+
 new_clients_k5.conf: new_clients_k5.conf.in Makefile
 	$(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \
 	mv new_clients_k5.conf.tmp new_clients_k5.conf
@ -77,12 +86,14 @@ CLEANFILES= \
 	krb5ccfile-ds \
 	server.keytab \
 	krb5.conf \
+	krb5-nodns.conf \
 	new_clients_k5.conf \
 	mech \
 	current-db* \
 	*.log \
 	tempfile \
 	check-basic.tmp \
+	check-nodns.tmp \
 	check-gss.tmp \
 	check-gssmask.tmp \
 	check-spnego.tmp \
@ -92,6 +103,7 @@ CLEANFILES= \
 EXTRA_DIST = \
 	NTMakefile \
 	check-basic.in \
+	check-nodns.in \
 	check-gss.in \
 	check-gssmask.in \
 	check-spnego.in \
--- a/tests/gss/check-nodns.in
+++ b/tests/gss/check-nodns.in
@ -0,0 +1,219 @@
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden). 
+# All rights reserved. 
+#
+# Redistribution and use in source and binary forms, with or without 
+# modification, are permitted provided that the following conditions 
+# are met: 
+#
+# 1. Redistributions of source code must retain the above copyright 
+#    notice, this list of conditions and the following disclaimer. 
+#
+# 2. Redistributions in binary form must reproduce the above copyright 
+#    notice, this list of conditions and the following disclaimer in the 
+#    documentation and/or other materials provided with the distribution. 
+#
+# 3. Neither the name of the Institute nor the names of its contributors 
+#    may be used to endorse or promote products derived from this software 
+#    without specific prior written permission. 
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+# SUCH DAMAGE. 
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+nokeytab="FILE:no-such-keytab"
+cache="FILE:krb5ccfile"
+cache2="FILE:krb5ccfile2"
+nocache="FILE:no-such-cache"
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=127.0.0.1 -P $port"
+
+acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred_auditdns"
+test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred"
+test_add_store_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_add_store_cred"
+
+KRB5_CONFIG="${objdir}/krb5-nodns.conf"
+export KRB5_CONFIG
+
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+    init \
+    --realm-max-ticket-life=1day \
+    --realm-max-renewable-life=1month \
+    ${R} || exit 1
+
+echo upw > ${objdir}/foopassword
+
+${kadmin} add -p upw --use-defaults user@${R} || exit 1
+${kadmin} add -p upw --use-defaults another@${R} || exit 1
+${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
+${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+
+exitcode=0
+
+echo "initial ticket"
+${kinit_auditdns} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
+
+echo "copy ccache with gss_store_cred"
+# Note we test that the ccache used for storing is token-expanded
+${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1
+${klist} -c ${cache2} || exit 1
+
+echo "keytab"
+${acquire_cred} \
+    --acquire-type=accept \
+    --acquire-name=host@host.test.h5l.se || exit 1
+
+echo "keytab w/ short-form name and name canon rules"
+${acquire_cred} \
+    --acquire-type=accept \
+    --acquire-name=host@host || exit 1
+
+echo "keytab w/o name"
+${acquire_cred} \
+    --acquire-type=accept || exit 1
+
+echo "keytab w/ wrong name"
+${acquire_cred} \
+    --acquire-type=accept --kerberos \
+    --acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1
+
+echo "init using keytab"
+${acquire_cred} \
+    --kerberos \
+    --acquire-type=initiate \
+    --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10)"
+${acquire_cred} \
+    --kerberos \
+    --acquire-type=initiate \
+    --loops=10 \
+    --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, target)"
+${acquire_cred} \
+    --kerberos \
+    --acquire-type=initiate \
+    --loops=10 \
+    --target=host@host.test.h5l.se \
+    --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, kerberos)"
+${acquire_cred} \
+    --acquire-type=initiate \
+    --loops=10 \
+    --kerberos \
+    --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, target, kerberos)"
+${acquire_cred} \
+    --acquire-type=initiate \
+    --loops=10 \
+    --kerberos \
+    --target=host@host.test.h5l.se \
+    --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using existing cc"
+${acquire_cred} \
+    --kerberos \
+    --name-type=user-name \
+    --acquire-type=initiate \
+    --acquire-name=user || exit 1
+
+KRB5CCNAME=${nocache}
+
+echo "fail init using existing cc"
+${acquire_cred} \
+    --kerberos \
+    --name-type=user-name \
+    --acquire-type=initiate \
+    --acquire-name=user 2>/dev/null && exit 1
+
+echo "use gss_krb5_ccache_name for user"
+${acquire_cred} \
+    --kerberos \
+    --name-type=user-name \
+    --ccache=${cache} \
+    --acquire-type=initiate \
+    --acquire-name=user >/dev/null || exit 1
+
+KRB5CCNAME=${cache}
+KRB5_KTNAME=${nokeytab}
+
+echo "kcred"
+${test_kcred} || exit 1
+
+${kdestroy} -c ${cache}
+
+KRB5_KTNAME="${keytab}"
+
+echo "init using keytab"
+${acquire_cred} \
+    --kerberos \
+    --acquire-type=initiate \
+    --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
+
+echo "init using keytab (ccache)"
+${acquire_cred} \
+    --kerberos \
+    --acquire-type=initiate \
+    --ccache=${cache} \
+    --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
--- a/tests/gss/krb5-nodns.conf.in
+++ b/tests/gss/krb5-nodns.conf.in
@ -0,0 +1,55 @@
+include @srcdirabs@/include-krb5.conf
+
+[libdefaults]
+	default_keytab_name = @objdir@/server.keytab
+        enable-kx509 = yes
+        kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem
+	default_realm = TEST.H5L.SE
+	kuserok = SYSTEM-K5LOGIN:@srcdir@/../kdc/k5login
+	kuserok = USER-K5LOGIN
+	kuserok = SIMPLE
+	block_dns = yes
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = 127.0.0.1:@port@
+                auth_to_local_names = {
+                        user1 = mapped_user1
+                }
+	}
+
+[kdc]
+	enable-digest = true
+	allow-anonymous = true
+	digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+        strict-nametypes = true
+        synthetic_clients = true
+	enable_gss_preauth = true
+	gss_mechanisms_allowed = sanon-x25519
+	enable-pkinit = true
+	pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+	pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+#	pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+	pkinit_mappings_file = @srcdir@/pki-mapping
+	pkinit_allow_proxy_certificate = true
+
+	database = {
+		dbname = @objdir@/current-db
+		realm = TEST.H5L.SE
+		mkey_file = @objdir@/mkey.file
+                log_file = @objdir@/current.log
+	}
+
+[hdb]
+	db-dir = @objdir@
+        enable_virtual_hostbased_princs = true
+        virtual_hostbased_princ_mindots = 1
+        virtual_hostbased_princ_maxdots = 3
+        same_realm_aliases_are_soft = true
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
+
+include @srcdirabs@/missing-krb5.conf